Introduction

The aim of this web page is to give illustrated examples to help most people get started quickly and easily. This is not an official SSH website.

I highly recommend also reading at least the following OpenSSH sites:
OpenSSH - the home page of OpenSSH
OpenSSH FAQ

Here are links to official Ubuntu sites dealing with networking and SSH:
Networking: Internet & Networking - Ubuntu Wiki's Community Docs
SSH: SSHHowto - Official Ubuntu Wiki

SSH authenticates every login with a password or a key pair, and a fresh Ubuntu install has no packet-filter rules, so on a LAN you do not need to configure the filter (the so-called 'firewall') before SSH will work. That is a matter of convenience, not protection: the filter is still the right tool for limiting who can reach the SSH port at all, see the IPtables notes at the end of this page.

Data is encrypted while it is en route between computers, so it is safe to use over the internet: someone who captures the traffic cannot read the passwords or files inside it. Encryption in transit does not stop a weak password from being guessed, which is why the key-based login described further down matters once the server is reachable from the internet.

SSH works from the command
line, or with 'X11 forwarding', so it can be used in GUI mode too.

SSH networking was used for file rescues back in the
days when USB external drives were expensive. It can still
be used for file rescues if circumstances require it.

SSH LAN with DHCP

(illustration: ssh003.png)

This illustration shows a typical home or small business network. A four port ADSL broadband modem-router is connected to four PCs in a LAN (short for 'Local Area Network'). The modem-router is connected to the internet or 'WAN' ('Wide Area Network'). No ports on the PCs are reachable directly from the internet: the modem-router only passes an incoming connection to a PC inside the LAN if you deliberately forward a port to it, so its filter protects the PCs from internet based intrusions.

How To Set up Your Own SSH LAN

You can have just one 'server' computer or you can install the SSH server software in all of your computers if you want. It's up to you. In my house we find SSH networking so useful we like all of our computers to be set up as both clients and servers. Unlike file-sharing protocols that were designed for trusted LANs, Secure Shell was designed for untrusted networks, so a correctly configured SSH server adds very little exposure, and SSH is free, so there's no reason why not.
Traditional Linux style networks tend to have one PC dedicated for use as the central server with a number of client computers in the LAN all with connections to the central server.
For simplicity to start off with, let's pretend just one PC will be the server for our SSH LAN.

i)
You will automatically have an administrator's account in the server
computer, that's the account you made when you installed Ubuntu.

You should use
'System'-->'Administration'-->'Users and Groups' to set up
accounts in your server for all of the other users in your LAN. You
will see settings for controlling what each person will be allowed to
do.

You need good strong passwords for each user to start off with. SSH protects the connection itself, but while password logins are enabled its security is only as good as the weakest password on the server. Further down this page there's a how-to for setting up RSA keys and turning password logins off, and you can do that later.

ii) You (as the administrator) should use Linux file ownership and permission rules to control which directories and files each user will be allowed various grades of access to. You will notice that each time you create a new user account there will be a new /home/username directory made, one for each user.

iii) Install the SSH server software on the server. The package is called openssh-server and is in the Ubuntu repositories; the client half, openssh-client, is already installed.

Notice the IP address for my ssh server 'black beauty' is now shown in ifconfig as 192.168.1.5

The IP address is something like the server's phone number inside the LAN. IP addresses are automatically assigned by the router's DHCP service to each computer in the Local Area Network (LAN), which also means they can change; see the notes on static addresses further down this page.

iv) To confirm that SSH networking is set up in the server, I could use a different computer in the same LAN and run a port scan (with nmap, for example) on the IP address 192.168.1.5 and it should show that port 22 is now open. See Port Scanning. (If you want to close port 22 again, stop the ssh service or uninstall openssh-server; the port is open only while sshd is running.)

The IP address 192.168.1.5 for the server is what I need to remember in the next step when I go to a client computer and I need to type in a number for what server to connect to.

'Client' computers are computers which may be used to make a connection to a 'server'.

All Ubuntu computers have the SSH client software installed 'out of the box', so there is no need to install it.

Okay, now we're going to make a connection.

i) You will need a valid username and password either for the administrator's account or one of the user accounts you just made in the server.

ii) Go 'Places'-->'Connect to Server' and you should see something like the following window,

a. I set the top spinbox to SSH.
b. The Server field is for the IP number for the server I want to connect to, 192.168.1.5
c. Port number for SSH is: 22
d. Folder I want to be in when I connect will be: /home
e. The user is me: herman
f. The bookmark name is: black-beauty (the name of the server)
Then I clicked the 'Connect' button.

I clicked 'Log in Anyway'.

I typed in the user password for the account I want to log in to in the server computer.

Since this will be a more or less permanent set-up, you might also consider clicking the radio button for 'remember forever' (the password). That will store your password for the account in your keyring, encrypted under your keyring password, so anyone who can unlock your desktop session can also use it. You will be asked to set a new password for your user keyring if it's the first time you have used it. Make sure you save your keyring password somewhere safe.

When not to use
the 'Remember forever' setting would be if you were travelling and
making a connection to home from a public computer such as one in a
library or internet cafe. Connecting from the internet is covered
further down this page.

TIP:
I use Password Manager for remembering all my accounts and passwords and keeping
them securely encrypted. There are a number of other good password programs you can
install and try out, they're all good. Choose one you like which will
store your account details and passwords in encrypted form and will allow you to restore
them easily from a backup.

Well,
that's it! I clicked 'Connect' and a window opened. In it I can see the /home/herman directory in
the server. Now I can read and write to my account in the server and transfer files between the two computers.

A new icon for the SSH connection appeared on my desktop .
If the icon doesn't appear, try rebooting and it should appear then.
I right-clicked on the icon and clicked 'Open', from the right-click menu.

You have set up an SSH connection between one of your client computers and your server. Now all you need to do is repeat this (Step 2) for each client computer in your LAN.

SECURITY NOTE:
If you have any extra file systems such as data drives or USB external drives mounted in your server while your ethernet cables are plugged in, be aware that other users with accounts in the server may be able to see inside those too if they look, depending on the ownership and permissions of the mount point (many removable drives are mounted world-readable). This doesn't only apply to SSH, it applies to every way a user can log in to the server.

Some people would be especially surprised to learn that even data in encrypted file systems can be viewed and browsed by other users of the server after you have happily unlocked the encrypted file system and mounted it. File system encryption protects the data at rest, that is, against someone who has physical access to the media while it is not mounted. Once mounted, the files are ordinary files, and only Linux users and groups plus file ownership and permission rules protect your privacy from other accounts on the same machine, whether they come in over the network or not.

SSH Connection with Simple Hardware

You don't need an internet connection or a router with DHCP. It's possible to use much simpler hardware to connect two or more PCs:

a crossover cable - between two PCs only

or

two ethernet cables and an ethernet hub - any number of PCs possible

You can connect by ssh, but you will need to:
1. Set static IP addresses manually. Look in 'System'-->'Preferences'-->'Network Connections', open the tab for Wired, click on Auto Ethernet and click Edit. The settings are in the IPv4 tab.
2. Give each computer a different IP address on the same subnet (for example 192.168.1.5 and 192.168.1.6 with netmask 255.255.255.0).
3. Then connect the same way as shown above in SSH LAN.
Don't forget to return your settings to DHCP before you try to connect to a DHCP router.

This kind of setup was used for file rescues back in the 'good old
days' when USB external drives were too expensive or not available. The
usual technique was to boot a Gnu/Linux Live CD in the PC with the
disabled operating system, (most often a Windows computer with a
virus), and make an SSH connection between that and another Gnu/Linux
PC for transferring the rescued files to.

SSH with RSA Authentication

Up until now we have been relying on the broadband modem's filter to protect our LAN.

SSH is designed to be secure even across untrusted networks like the internet. SSH transmits and receives its passwords and data in encrypted form, so they cannot be read even if they are intercepted while in transit.

To use SSH over the internet we need to use port forwarding in our modem-router settings. That will expose the SSH server to internet based attempts to guess its passwords (automated scanners try common usernames and passwords against every reachable port 22 around the clock), so we need more than just password based authentication. Here is how to switch from password based SSH authentication to RSA keys for heightened security and more convenience too.

RSA keys give you far more security than password based logins, because a private key cannot be guessed the way a password can. The gain only arrives once you also turn password logins off in the server's /etc/ssh/sshd_config; merely adding a key leaves the password path open beside it.

Seahorse - Encryption Made Easy - http://www.gnome.org/projects/seahorse/
Seahorse is a nice GUI application that makes and manages both PGP and RSA keys. Ubuntu comes with Seahorse installed, but there's a secret: it's not called 'Seahorse' in Ubuntu. Instead it's disguised under a generic name. You can find Seahorse in your client computers easily by going 'System'-->'Preferences'-->'Passwords and Encryption Keys'.

We can use RSA keys for logging in to our SSH accounts without having to bother typing the account password each time. We can use PGP keys for securely encrypting any data and emails, and to sign documents.

Right now we're only concerned with the RSA keys. Seahorse generates for us a pair of keys, a private and a public RSA key. These are saved in the .ssh directory in your home folder, in a file called id_rsa and a file called id_rsa.pub. The file called id_rsa contains our private key, which we need to keep secret: it should be readable only by you (permissions 600) and protected with a passphrase, because anyone who copies that file can log in as you. The file called id_rsa.pub contains our public key, which can be copied to any SSH server we want to connect to (into the .ssh/authorized_keys file of our account there).

The way it works is something like this. The server has a copy of your public key in your account's authorized_keys file. When you connect, your client signs a piece of data that is unique to this session (the session identifier agreed during the encrypted handshake) with your private key and sends the signature to the server. The server checks the signature with your public key. Only the matching private key could have produced that signature, and because the signed data is tied to this particular connection, an eavesdropper cannot replay it to log in later. When the signature checks out, the SSH server allows the connection and opens the session. (The old SSH protocol version 1 used an encrypted-challenge scheme instead; OpenSSH on Ubuntu uses version 2 and signatures.)

When you open a connection to your SSH server with a key for the first time, you will be asked for a password. This is not the account password on the server: it is the passphrase protecting your private key on the client computer (the computer you're using now to make the connection from). Your client needs the unlocked private key to produce the signature described above. On Ubuntu the GNOME keyring offers to remember the passphrase, so you are asked for it once per desktop session rather than on every connection; ssh-agent does the same job on the command line.
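The command-line equivalent of what Seahorse does, as an added example (not from the original page and not Seahorse's code). It uses OpenSSH's own tools. The server address 192.168.1.5 and the user name herman are the page's examples, the script file name is assumed, and the add_authorized_key function spells out what ssh-copy-id does on the server so you can do the same by hand at the console of a headless box.

```shell
#!/bin/sh
# Added example (not from the original page). Command-line version of the
# Seahorse key set-up: generate a key pair on the client, install the public
# half on the server, then prove that key login works before passwords are
# turned off. 192.168.1.5 and "herman" are the page's example server and user.
set -eu

SERVER="${SERVER:-192.168.1.5}"
USER_NAME="${USER_NAME:-herman}"
KEY="${HOME:-.}/.ssh/id_rsa"

# 1. On the CLIENT: make the key pair. Give it a passphrase when asked;
#    anyone who copies the private key file can otherwise log in as you.
generate_key() {
    if [ -f "$KEY" ]; then
        echo "$KEY already exists, not overwriting" >&2
        return 0
    fi
    ssh-keygen -t rsa -b 4096 -f "$KEY" -C "$USER_NAME@$(hostname)"
}

# 2. Copy the PUBLIC key into the server account, over an ordinary password
#    login. This is the last time the password is needed from this client.
install_key_on_server() {
    ssh-copy-id -i "$KEY.pub" "$USER_NAME@$SERVER"
}

# What ssh-copy-id does on the server, spelled out: append one public-key
# line to ~/.ssh/authorized_keys without duplicating it, and fix the
# permissions. sshd ignores the file if it, or ~/.ssh, is writable by others.
add_authorized_key() {
    pubkey="$1"          # one line of id_rsa.pub
    sshdir="$2"          # normally "$HOME/.ssh" on the server
    mkdir -p "$sshdir"
    chmod 700 "$sshdir"
    touch "$sshdir/authorized_keys"
    chmod 600 "$sshdir/authorized_keys"
    if grep -qxF -- "$pubkey" "$sshdir/authorized_keys"; then
        return 0         # already there
    fi
    printf '%s\n' "$pubkey" >> "$sshdir/authorized_keys"
}

# 3. Verify key login with the password path disabled for this attempt, so a
#    silent fall-back to a password prompt cannot hide a broken key set-up.
verify_key_login() {
    ssh -o PasswordAuthentication=no "$USER_NAME@$SERVER" true
}

case "${1:-}" in
    keygen) generate_key ;;
    copy)   install_key_on_server ;;
    verify) verify_key_login && echo "key login works" ;;
esac
```

Run it as `sh ssh-keys.sh keygen`, then `copy`, then `verify`; only when `verify` succeeds is it safe to turn password logins off on the server.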

People have various kinds of internet connections and networking equipment. Most networking hardware comes with an installation CD that runs in Windows and runs the user through a setup wizard of some kind to set up the equipment. These installation CD-ROMs usually don't auto-run in Gnu/Linux but don't worry about it. To gain access to your broadband modem or modem-router from a Gnu/Linux operating system all we need is the equipment's IP address. That address is your computer's default gateway on the LAN, which the 'route -n' command prints (or 'ip route' on newer releases).

Now all you need to do is copy the modem's IP address and paste
it into your web browser's (Firefox) address bar and press enter or
click the 'go' button.

This should open the login screen for your broadband modem or
modem-router and you can enter your username and password to get access
to your equipment's settings.

You may need the manual that came with your hardware (recommended). Normally the easiest place to look first would be in the box the equipment came in when it was new. There might be a paper printed version or you may find one of those software installation CDs they use for Windows. The CD will usually contain documents (eg: router manual) that you really should open and read if you want to be able to get the most out of your router. If you still can't find your router's manual, try the internet (google for it) and download it.

Now you should be able to find all the settings in your equipment and adjust everything to your needs.

If
you are setting up an internet connection for a new modem, you'll need you username and password for
your account with your ISP for your internet connection.

Don't
forget to set up a real username and password for the router or modem
so no-one else can go in and make unauthorized changes.

Incidentally, many routers and other networking equipment run on a Linux kernel and its IPTables filter ('firewall'), with some kind of lightweight, hardware specific operating system built around it. That also means they are computers running software that can have bugs, so install the manufacturer's firmware updates when they appear.

TIP: Knowing how to use the settings in your modem-router is key to getting good satisfaction from SSH networking. You really should spend some time reading your modem-router's manual and familiarising yourself with your router's settings.

TIP: Add your router's and modem's URL to your Firefox bookmarks so your router settings and logs will always be instantly available for you from now on.

Connect to your SSH servers from anywhere

It is best to test SSH between computers inside your LAN for a little while to make sure
it's working well before progressing to using SSH over the internet.

You
can travel the globe and still be able to access all the files in your
home or office computer or computers if you use SSH Networking.

Port Forwarding

Before you leave home, you just need to make sure a port is open in your internet modem that leads to your ssh port in your home computer. That's called 'port forwarding', and the way to do that depends on what kind of hardware you have. The best way to find out is to read your broadband modem's documentation. If that's not convenient for you, here is a link to a website that shows you how to set up port forwarding with all kinds of different equipment: PortForward.com

TIP: If your hardware allows it, you may want to forward some other, less obvious external port to your SSH server's port 22 instead. That won't hide it from anyone who scans all ports, but it keeps most of the automated scanners (which try port 22 only) out of your logs. A high numbered port that isn't used for any other service would be best. Treat it as housekeeping, not as a substitute for key-only logins.

TIP: Where your hardware doesn't allow you to change port numbers when you set up port forwarding, you can edit /etc/ssh/sshd_config and set a different port number for SSH there instead if you like (then restart the ssh service). You can use the command 'less /etc/services' to see what port numbers not to use:

less /etc/services
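The server-side settings that the port tip above and the caution further down both need, as an added example (not from the original page or from OpenSSH's own documentation). It combines a changed port with key-only logins in /etc/ssh/sshd_config and includes a checker, because sshd takes the first occurrence of each directive in that file and silently ignores later ones. Port 2222 and the user name herman are assumptions; pick a port that /etc/services does not list.

```shell
#!/bin/sh
# Added example (not from the original page). Hardened settings for
# /etc/ssh/sshd_config on the SERVER, with a checker. The checker matters
# because sshd uses the FIRST occurrence of a directive and ignores later
# ones: a "PasswordAuthentication no" appended to the bottom of the file does
# nothing if a line above it already says "yes". Port 2222 and the user name
# "herman" are assumptions.
set -eu

HARDENED='
Port 2222
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
AllowUsers herman
'

# Effective value of a directive: first non-comment match wins, names are
# case-insensitive. Prints nothing when the directive is not set at all.
sshd_setting() {
    directive="$1"; config="$2"
    awk -v want="$(printf '%s' "$directive" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        tolower($1) == want { print $2; exit }
    ' "$config"
}

# List every hardened directive whose effective value differs; succeed only
# when the list is empty.
audit_sshd_config() {
    config="$1"
    failures="$(printf '%s\n' "$HARDENED" | while read -r key value; do
        [ -n "$key" ] || continue
        actual="$(sshd_setting "$key" "$config")"
        [ "$actual" = "$value" ] ||
            echo "$key: want '$value', effective '${actual:-<default>}'"
    done)"
    [ -z "$failures" ] && return 0
    printf '%s\n' "$failures"
    return 1
}

# Apply on the server: prepend the block (so it wins), check the syntax with
# sshd -t, then restart. Keep your existing SSH session open while you do
# this and confirm from a second window that key login still works before
# closing it, or a typo here locks you out.
apply_hardening() {
    cfg=/etc/ssh/sshd_config
    cp "$cfg" "$cfg.bak"
    { printf '%s\n' "$HARDENED"; cat "$cfg.bak"; } > "$cfg.new"
    /usr/sbin/sshd -t -f "$cfg.new"        # set -e aborts here on a bad config
    mv "$cfg.new" "$cfg"
    audit_sshd_config "$cfg"
    service ssh restart
}
```

After the restart, a port scan from another LAN machine (nmap -p 2222 192.168.1.5) should report the new port open and port 22 closed, and an ssh attempt with -o PubkeyAuthentication=no should be refused outright instead of asking for a password.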

TIP: If you have more than one SSH server in your LAN, then set up port forwarding with a different external port number for each server.

CanYouSeeMe.org - Open Port Check Tool is a useful site to check whether your port forwarding efforts have worked; that site also shows you your internet IP number.

CAUTION: You need password based SSH logins disabled and RSA key based logins established before you set up port forwarding. Port forwarding will expose ports in your computers directly to the internet, and a forwarded SSH port with passwords still enabled starts receiving automated guessing attempts almost immediately. See: SSH with RSA Authentication.

IP address (External)

You'll need to know your external IP address to connect from the internet

An
'IP address' is like a phone number but it's for a computer. Well,
maybe it would be more accurate in this case to say it's for the
connection between your broadband modem and the internet. Your
broadband modem or modem-router, has an internet IP address. This is
usually assigned to it on a temporary basis by your ISP's router.

This command will find that out for you,

wget -O - -q icanhazip.com

NOTE: You need to have an internet connection for the above command to work.

One Problem: Dynamic IP address
One of the features of some ADSL broadband services in Australia and in many other countries is that we have dynamic or 'roving' IP addresses for our internet connections. Basically that means every time we reboot the ADSL broadband modem and connect back up again we may be given a different IP address. They change automatically from time to time too. ISPs do that because they have fewer addresses than customers, not as a security feature; it makes it slightly harder for someone on the internet to keep track of a specific user, but it is no protection at all for a server that is listening on a forwarded port.

It makes things harder for accessing our SSH Server though.

If we wanted, we could apply for a 'fixed IP address', which means we can keep the same IP address more or less permanently. The only problem with that is, most ISPs will add about $10 per month to our internet bill for enabling that option.

A quick and effective solution to this problem is to go get a free domain name; read these two links:
DynamicDNS - Ubuntu Community Documentation
Dynamic DNS - No-IP

I found out that my D-Link modem-router has a built in feature for
updating the dynamic DNS, so I didn't need to install any software in
any of my computers. I just created an account with the D-Link
recommended DNS server and followed the manufacturer's instructions for
configuring the modem-router. That turned out to be very easy to set up
and works great!

Making A Connection

So now that you have a Dynamic DNS or at least some way of knowing your home IP address, you can go somewhere to a remote location (not too far away yet), maybe just to a neighbour's or to your work place, and try connecting by SSH to your home SSH server via the internet.

Setting it up is the same as shown at the top of this page in SSH LAN except this time in the 'Server' field you need to type in your DNS host name. If you don't have one, your home router's external (internet) IP address will work instead as long as it hasn't changed since you left home.

If you have more than one SSH server and you port-forwarded each server to a different port number, you should be able to reach the server you want by typing the appropriate port number. Now you can travel with your laptop, or even only a netbook, and be able to access all the files in your home computers from anywhere in the world. You could even travel with only your Ubuntu-in-a-flash-memory-stick. It's as good as carrying all the information in your home computers around in your pocket, so treat the private key on that stick the way you would treat the files themselves: keep a passphrase on it and don't leave the device lying around.


Controlling Your SSH Server Remotely

You
don't really need any GUI to connect with SSH and if you can use the
command line you can tell your server to do almost anything for you,
especially if you have the admin account.

Remotely controlling your SSH server is useful if it happens to be a
'headless' server, (no monitor and maybe no keyboard or mouse of its
own), or if you're away somewhere on the internet and you don't have
physical access to your server.

I hope you all read that tutorial because it explains most of what I
would have said and the author has done a much better job of it than I
would.

About the only thing not already covered by that excellent web page was
what commands a person might typically want to use. You can use any
linux bash commands the same as you would when you're behind any
Gnu/Linux PC. Just a few selected commands can be found here, Command
Line Page.

Remote Booting

If you're planning on being away from home for a long time and you are interested in saving electricity you might not want to leave your server running idle 24/7, especially if you're the only user that will need access to it.

If you take a good look through your server's BIOS settings you might
find it's possible to set your server up for booting automatically from
the BIOS's calendar/clock at
the same time every day.

Even better than having the server booted from your BIOS's timer,
instead you can boot it by the ethernet card from another PC in your
LAN or
even from a remote internet location.

Your server's motherboard
needs to have built in support for WOL, (Wake On Lan). It probably will
if it's less than ten years old. You need to find that feature in the
server's BIOS settings and enable it. See How To Enable the Wake On Lan on the BIOS - gWakeOnLan wiki.

You will need your server's mac address and IP address (from the ifconfig command).
For internet booting you may need a DynamicDNS too, (see above) or at least a way to know your router's IP address on the internet.

Look in Ubuntu Software Center and install gWakeOnLan,
(available from the universe repository) in a client
computer or Ubuntu in a USB drive and use that to boot your sleeping server with.
Here's the link about how to do that: gWakeOnLan

When booting via the internet, allow a minute for the BIOS screens, ten seconds for your GRUB countdown and a few seconds for Ubuntu to boot before attempting to log in by SSH.
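What the Wake On LAN tool actually sends, as an added example (not from the original page and not gWakeOnLan's code). The MAC 00:C0:9F:C9:B1:F6 is the one shown in the page's ifconfig output; substitute your server's. The sending function relies on bash's /dev/udp redirection, which is an assumption about the shell you run it from; the packet-building functions are plain POSIX sh.

```shell
#!/bin/sh
# Added example (not from the original page, and not gWakeOnLan's code): build
# a Wake-on-LAN "magic packet" by hand, which shows what the GUI tool sends.
# 00:C0:9F:C9:B1:F6 is the MAC shown in the page's ifconfig output.
set -eu

# A magic packet is 6 bytes of 0xFF followed by the target MAC repeated 16
# times, 102 bytes in all. Printed here as a 204-character hex string.
wol_magic_hex() {
    mac="$(printf '%s' "$1" | tr -d ':-' | tr 'A-F' 'a-f')"
    if [ "${#mac}" -ne 12 ]; then
        echo "bad MAC address: $1" >&2
        return 1
    fi
    hex=ffffffffffff
    i=0
    while [ "$i" -lt 16 ]; do
        hex="$hex$mac"
        i=$((i + 1))
    done
    printf '%s' "$hex"
}

# Hex string -> raw bytes on stdout, using octal escapes so that plain POSIX
# printf (dash as well as bash) can emit them.
hex_to_bytes() {
    printf '%s\n' "$1" | fold -w 2 | while read -r byte; do
        [ -n "$byte" ] || continue
        printf "\\$(printf '%03o' "0x$byte")"
    done
}

# Send it. Inside the LAN, broadcast it to UDP port 9 (this uses bash's
# /dev/udp redirection, so run it with bash). The network card listens for
# its own MAC even while the machine is off, as long as WOL is enabled in
# the BIOS.
wol_send() {
    target="${2:-255.255.255.255}"
    hex_to_bytes "$(wol_magic_hex "$1")" > "/dev/udp/$target/9"
}

# From the internet the packet has to reach the LAN as a broadcast, which
# means forwarding a UDP port on the router to the LAN broadcast address;
# many routers refuse that, so the usual answer is to SSH into another LAN
# machine that is already awake and run wol_send from there.
```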

I have read that it's also possible to boot with GRUB 2 from your
ethernet card (even if your motherboard doesn't support WOL), but I haven't tried that yet. Here's a link to the
Gnu/GRUB Manual, 7 Booting GRUB From the Network.

Remote Shut - Down

After you access your SSH server remotely via the internet you may want to shut
it down when you're done,

sudo shutdown -h +3

This
command will shut down the system (halt) after three
minutes, warning messages are given to any other users to allow
them time to save their work and close any running programs.

Taking Webcam Photos Remotely

You will need to install uvccapture in your server first, (of course).

If the SSH server has a webcam plugged into it, you can log in by SSH and use this command line program to get the webcam to take pictures for you,

uvccapture -d /dev/video0 -x 640 -y 480 -o photo-001.jpeg

This may be useful if you want to keep an occasional eye on what's going on at home while you're away. If you don't see the photo in the /home/username folder in your server, try clicking the reload button on your file browser.

Taking Webcam Video Remotely
Somebody has kindly and generously done a nice job of explaining this idea, Link: DIY: Webcam Surveillance System with Ubuntu - taksuyama.com

The following three-letter abbreviations all begin with V, but they don't have all that much in common except that they all have something to do with SSH.

VLC - VLC Media Player
VLC Media Player is a program we can install for free in Ubuntu and it's great for everyday general purpose video watching, but it can do much more than that too. One thing we can use VLC Media Player for is to watch a movie or monitor a webcam or security camera from a remote location, and this can be tunnelled through SSH for privacy. Here's a link about that: 'Streaming Webcam over SSH' - moblog.

VNC - Virtual Network Computing - wikipedia
GNOME ships two VNC programs in Ubuntu: 'vino' is the server (it shares your desktop) and 'vinagre' is the client (the viewer). The server side is not enabled in a new Ubuntu install, but you can go and enable it any time.

They aren't called 'vino' and 'vinagre' in the menus; instead you can find them by going
1. In the Server: System - Preferences - Remote Desktop
2. In the Client: Applications - Internet - Remote Desktop Viewer

VNC is known to be notoriously unsafe if used wrongly: plain VNC traffic is not encrypted, so everything you see and type can be read off the wire, and its own password check is weak. It should be okay to enable it for the time you need it and then disable it again as soon as you're finished. VNC should be safe enough between PCs in your private LAN while it's protected by your router's firewall, but over the internet it must be 'tunnelled' through SSH, and the VNC port itself should never be forwarded on the router. You'll see a field in recent versions of the vinagre client for tunnelling the connection through SSH.

'VNC Viewer', aka 'vinagre', aka 'Remote Desktop Viewer' is mainly for remotely controlling another computer. For example your mother's computer when she phones for help and you're trying to help her do something. When you're having trouble getting her to understand what you're trying to tell her to do, you can set up a VNC connection so you can view her desktop and take over control of her mouse and keyboard from wherever you are. That way you can get the job done a lot quicker.
Links: Vinagre Documentation, VNC - Ubuntu Community Docs
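The tunnel that the viewer's SSH option sets up for you, done by hand, as an added example (not from the original page and not vinagre's or vino's code). It also includes a check that the VNC ports are only reachable through the tunnel. The server 192.168.1.5 and user herman are the page's examples; VNC display :0 on port 5900 and a local end on port 5901 are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page, and not vinagre's or vino's
# code): the command-line version of what the viewer's "SSH tunnel" option
# does, plus a check that the VNC ports are not reachable except through the
# tunnel. Server 192.168.1.5 and user "herman" are the page's examples; VNC
# display :0 on port 5900 is assumed.
set -eu

SERVER="${SERVER:-192.168.1.5}"
USER_NAME="${USER_NAME:-herman}"
LOCAL_PORT=5901      # the viewer connects here, on THIS machine
REMOTE_PORT=5900     # where vino listens on the server

# Open the tunnel, then point the viewer at the local end. -L without -g binds
# the local end to 127.0.0.1 only, so nobody else on your side can use it;
# -N runs no remote command and -f backgrounds ssh once authenticated.
# Nothing about VNC has to be forwarded on the router: only the SSH port.
vnc_tunnel_up() {
    ssh -f -N -L "127.0.0.1:$LOCAL_PORT:localhost:$REMOTE_PORT" "$USER_NAME@$SERVER"
    vinagre "localhost:$LOCAL_PORT"        # or: vncviewer localhost:5901
}

vnc_tunnel_down() {
    pkill -f "ssh -f -N -L 127.0.0.1:$LOCAL_PORT:" || true
}

# Read "ss -ltn" (or "netstat -ltn") output on stdin and succeed only if every
# listener on the given TCP port is bound to a loopback address. Use it on
# the server for 5900 and on the client for 5901: a 0.0.0.0 or [::] listener
# means the port is open to the network and the tunnel is protecting nothing.
listens_only_on_loopback() {
    awk -v p=":$1" '
        {
            for (i = 1; i <= NF; i++) if ($i ~ (p "$")) {
                if ($i ~ /^(127\.0\.0\.1:|\[::1\]:|::1:)/) lo++; else pub++
            }
        }
        END { exit !(lo > 0 && pub == 0) }'
}

# e.g. on the server:  ss -ltn | listens_only_on_loopback 5900 && echo "VNC is local-only"
```

If the server-side check fails, either configure the VNC server to listen on localhost only or block port 5900 from the network with iptables; otherwise the tunnel is decoration.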

VPN - Virtual Private Network
A VPN is often presented as a step up from SSH for use over the internet. It offers the same kind of protection, by encrypting the connection and data while in transit, but it joins the whole remote machine to your home network rather than one account to one server, so every service on the LAN becomes reachable (convenient, and also a bigger thing to get wrong). I haven't tried VPN out yet, but it's on my to-do list. If you already know enough about networking, or at least if you've been diligently trying out the steps above for setting up SSH, then by now you should have picked up enough of the networking lingo and know-how to be able to advance to trying out VPN.
Links: Open VPN - openvpn.net | Open VPN - wikipedia

If SSH refuses to connect
Every SSH server has a host key (a key pair generated when the SSH server software was installed), and your client records each server's public host key, against its name or IP address, in a hidden file in your home directory the first time you connect. If the key presented at the address you are connecting to ever differs from the recorded one, SSH assumes the worst and refuses to connect. That happens, for example, when the operating system on the server has been re-installed (a new host key was generated), or when a different machine has been given the server's old IP address.

This is designed into SSH for security reasons. See 'Man-In-The-Middle-Attack' - wikipedia. A changed host key is exactly what an attacker who had put a machine between you and your server would look like, so SSH remembers the host key in order to detect an impostor. You are recommended to contact the administrator of the computer you are trying to connect to and confirm the new key's fingerprint with them before you proceed. If you're sure the connection is safe, the file in the /home/username/.ssh directory called 'known_hosts' is where SSH keeps track of the host keys of every computer you have connected to in the past. If something has changed, such as the operating system having been re-installed, remove that server's old entry (or, more bluntly, the whole file) to make SSH forget the old details before you can connect. No sudo is needed; the file belongs to you.

ssh-keygen -R 192.168.1.5     # forget one server's old host key
rm ~/.ssh/known_hosts          # or forget every server you have ever connected to

You can make fresh SSH connections again after that. SSH will create a new known_hosts file automatically, with new connection details in it for the first connection you make, and you will see the first-time confirmation prompt again. If you removed the whole file, every other server's key will need to be accepted again too. Another reason SSH might not be able to connect would be if you have changed IP tables settings in either computer since last time you made a connection. Naturally you have to configure any firewalls to allow the connection.
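The check-then-forget procedure from the section above, spelled out as an added example (not from the original page). The awk functions show what the known_hosts format looks like and what ssh-keygen -R does to it; the server 192.168.1.5 / black-beauty is the page's example, and the sample known_hosts lines in the comments are constructed.

```shell
#!/bin/sh
# Added example (not from the original page). Two narrower steps instead of
# deleting the whole known_hosts file: check the server's real fingerprint,
# then forget only the entry that changed. 192.168.1.5 / black-beauty are the
# page's example server.
set -eu

# On the SERVER, at its own console (not over the connection you distrust):
# print its host-key fingerprints. Compare them with what the client's
# warning shows before you trust the new key.
server_fingerprints() {
    for k in /etc/ssh/ssh_host_*_key.pub; do
        ssh-keygen -lf "$k"
    done
}

# On the CLIENT: the standard way to drop one host's entries. ssh-keygen -R
# also understands hashed lines ("|1|...") and non-standard ports
# ("[host]:2222"), and leaves a backup in known_hosts.old.
forget_host() {
    ssh-keygen -R "$1"
}

# What -R does for plain entries, spelled out in awk so the format is
# visible: each line is "host1,host2 keytype base64key" (constructed sample:
# "192.168.1.5,black-beauty ssh-rsa AAAA..."); a line goes when the host
# appears in the comma-separated first field. Hashed lines cannot be matched
# this way and are kept.
known_hosts_remove() {
    host="$1"; file="$2"
    awk -v h="$host" '
        substr($0, 1, 3) == "|1|" { print; next }
        {
            n = split($1, names, ",")
            keep = 1
            for (i = 1; i <= n; i++)
                if (names[i] == h) keep = 0
            if (keep) print
        }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Is there a plain entry for this host? Exit status 0 = yes.
known_hosts_has() {
    awk -v h="$1" '
        { n = split($1, names, ","); for (i = 1; i <= n; i++) if (names[i] == h) found = 1 }
        END { exit !found }' "$2"
}

# Typical use after a server re-install:
#   server_fingerprints        (on the server)
#   forget_host 192.168.1.5    (on the client, then reconnect and compare)
```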
reason SSH might not be able to connect would be if you have changed IP
tables settings in either computer since last time you made a
connection. Naturally you have to configure any firewalls
to
allow the connection.

ifconfig command
If you don't know the IP address for the computer in a LAN you want to connect to and it's your own computer, you can find out easily by typing the ifconfig command in the 'terminal' of your computer ('ip addr' does the same job on newer releases). If it isn't your computer and the connection is welcome, the polite way to find out is to ask whoever is using the other computer to type ifconfig and tell you the output. Perhaps you will need to do that by email if you are a long distance from the other computer.

I highlighted the IP address of the computer in yellow, inet addr:192.168.1.100

Shown in orange is the hardware address or MAC address from the network card in the machine, HWaddr 00:C0:9F:C9:B1:F6. All networking hardware comes with a MAC address, which is like a serial number assigned to the network interface by its manufacturer. Ethernet cards, routers, modems, switches and anything like that always have MAC addresses. Normally they have a sticker on the box it came in when it was new, also it might be printed on the hardware itself, and you can find the MAC addresses of all the hardware in your LAN with Linux networking software. It could be a good idea to copy down the MAC addresses of your hardware and pin the note up on a wall for easy reference. Bear in mind that a MAC address can be changed in software in a few seconds, so it is useful for identifying your own equipment and for Wake On LAN, but a router's 'MAC filtering' is not a substitute for SSH's own authentication.

First Time Connection to an SSH Server
You will see a window like the one shown below the first time.

That's because the SSH software in the client computer (the one you are making the connection from) remembers the host key of every server computer it has ever connected to, and it doesn't recognize this one. SSH warns you about the fact that it doesn't recognize the computer you want to connect to, so if the other computer is not your own, you can go check with the other computer's operator. The warning shows a fingerprint of the server's host key; the careful way to answer it is to compare that fingerprint with the one printed on the server itself, because SSH trusts whatever key you accept here, and this first connection is the one moment an impostor could slip in unnoticed. If that's the right IP number, the fingerprint matches and the connection is welcome, then it's safe to go ahead and make the connection. You can expect to see this prompt once for every new server you connect to, and not again afterwards unless that server's key changes.

You may need to set static IP addresses in SSH 'server' computers in your LAN because of the security feature explained above. SSH in your client computer records the host public key and the IP address of every other computer yours has made connections to in the past (known hosts). If the router later hands your server a different address, the client sees an unknown host and asks you to confirm a 'new' server; worse, if another machine inherits the server's old address, the client sees the wrong key at a familiar address and refuses to connect. Most routers these days can remember which computer is which and always assign the same IP address to each one. If you have a router without that feature you might need to set a static IP address in Ubuntu; the router will not take care of it for you.

The IP addresses in your LAN may have been changed, possibly due to a router reset. Run the ifconfig command to check and see if this could be your problem.

There are three or more ways to fix this, either:
a) Delete all your ssh bookmarks and make new connections - this may be only a temporary solution.
or
b) Take a look through your router's settings and read the manufacturer's documentation. See if there's a way to get your DHCP router to remember your server's MAC address and always assign the same IP address to your server (often called a 'DHCP reservation').
c) Set static IP addresses (instead of the router telling your PCs which IP address they can have, each computer uses a fixed address you chose, outside the range the router hands out). This is more work to set up because you will need to make settings in your router plus every computer, and also any new computers that join your LAN too.

Getting to know your router is important if you want trouble free ssh'ing.

Access to a Windows Network
Ubuntu comes with the Samba client pre-installed, but not the server half of Samba. It's no problem at all for any Ubuntu computer to access shared folders on the Windows network. All we need to do is configure any firewalls in the Windows computers to allow the connection. Just go 'Places'-->'Network'-->'Windows Network' and click on an icon. We don't need to install anything in Ubuntu to enable us to do that.

If you want your Windows box to be able to 'see' and access your Ubuntu operating system you need to install the Samba server. Set up the IP tables filter (firewall) in Ubuntu before you install the Samba server, because it opens several ports (the SMB and NetBIOS services) to the whole LAN, not just one. I have never installed Samba server in any of my computers, so I don't know what it's like, I have only read about it. I would never be willing to compromise my built in Linux security to that extent. Nevertheless, 'Samba' networking is very popular, lots of other people use it every day.

OpenSSH for Windows
. - I haven't tried it but I presume it would be possible not only
to connect between Windows boxes, but also between Windows
machines and Linux machines in an SSH network as well. It would be
worth a try if you have Windows computers.

IPtables are our Linux equivalent to what is called a 'firewall' in Windows. IPtables are built right into the Linux kernel; we don't need to download some external software that someone has for sale or for hire.

There is often a firewall debate going on in Ubuntu forums about whether or not an added firewall is needed for Ubuntu. I don't think I need a firewall for my purposes. Firestarter is something we can install in Ubuntu. It might be a good idea to install Firestarter if you install any server software. Firestarter is not a stand-alone firewall that you need to add, but it is a very good GUI frontend for helping new users to configure their IP tables more easily. It's really IPtables that does the work behind the scenes. Firestarter can be installed through apt or Synaptic Package Manager or 'Applications, Add/Remove Programs'. There are some other similar programs available too. Howto: Setup a Software Firewall in Linux using Firestarter - Techthrob.com

In Ubuntu, our IPtables are left unconfigured by default. When we first install the operating system they aren't needed, because a desktop install starts almost no network services, so there is nothing listening for an attacker on the internet to connect to. As long as we don't install any services, Ubuntu is as sealed as a nut; the moment we install one, such as the SSH server, that is no longer true, and the filter becomes the place to say who may reach it. Most people probably don't even realize Ubuntu has a network filter (or 'firewall' if you prefer). If you want to take a look at yours, just do this,
Code:

herman@red:~$ sudo iptables -L

And here's what our unconfigured IPtables normally look like: every chain's default policy is ACCEPT and there are no rules at all,

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

man iptables

To learn more about iptables open a terminal and type: man iptables
The output from that command is about eight pages long and it's very interesting if you have the time to read and inwardly digest it. There is a lot to learn about IPtables. I have links to some of the best web pages with how-tos and user guides for IPtables further down this page.
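The listing above is easy to eyeball on one machine but tedious across a LAN. Here is an added example (not code from the original page) in Python that parses the text of `sudo iptables -L -n`, reports whether a box is in the unconfigured all-ACCEPT state shown above, and builds the minimal SSH-only ruleset you'd want once a server is installed. Both listings inside it are constructed samples, the LAN subnet 192.168.1.0/24 is an assumption, and the generated commands need root and are only printed, not executed.

```python
"""Audit `sudo iptables -L -n` output and build a minimal SSH-only ruleset.

Added example, not part of the original page. It works on captured text, so it
runs offline on the constructed samples below; the LAN subnet is an assumption.
"""
import re

# Constructed sample: the unconfigured state a fresh Ubuntu shows.
UNCONFIGURED = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
"""

# Constructed sample: what `iptables -L -n` shows after ssh_only_rules() is applied.
SSH_ONLY_OUTPUT = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     tcp  --  192.168.1.0/24       0.0.0.0/0            ctstate NEW tcp dpt:22

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
"""

# Built-in chains print a policy; user-defined chains print a reference count.
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|(\d+) references)\)")


def parse_iptables_list(text):
    """Return {chain: {"policy": str|None, "rules": [fields, ...]}} from `iptables -L -n`."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "rules": []}
        elif line.strip() and not line.startswith("target") and current:
            chains[current]["rules"].append(line.split())  # skip blanks and the column header
    return chains


def is_unconfigured(chains):
    """True when every chain accepts everything and holds no rules: the state shown
    on the page, where the box is 'sealed' only because nothing is listening."""
    return all(c["policy"] == "ACCEPT" and not c["rules"] for c in chains.values())


def ssh_only_rules(lan_cidr="192.168.1.0/24"):
    """Commands (run as root) for a box running sshd and nothing else: loopback and
    reply traffic allowed, new SSH connections only from the LAN, the rest dropped."""
    return [
        "iptables -P INPUT DROP",
        "iptables -P FORWARD DROP",
        "iptables -A INPUT -i lo -j ACCEPT",
        "iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT",
        f"iptables -A INPUT -p tcp --dport 22 -s {lan_cidr} -m conntrack --ctstate NEW -j ACCEPT",
    ]


if __name__ == "__main__":
    for name, sample in (("unconfigured", UNCONFIGURED), ("ssh-only", SSH_ONLY_OUTPUT)):
        chains = parse_iptables_list(sample)
        print(f"{name}: wide open = {is_unconfigured(chains)}, INPUT policy "
              f"{chains['INPUT']['policy']}, {len(chains['INPUT']['rules'])} rule(s)")
    print("\n".join(ssh_only_rules()))
```

Feed it real output with `sudo iptables -L -n | python3 audit.py` style piping if you like; the point of the DROP policy is that any service you later install by accident is not reachable until you add a rule for it, which is the opposite of the default shown above.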

I haven't configured my IPtables at all, and I have installed SSH server. I want to check to see how safe I am on the internet. You can do this too. So let's go test our firewall.

'Shields Up!' is a well known internet firewall testing site. If you are behind a NAT router, your Ubuntu system should pass all tests as 100% stealth with or without any added firewall, because the router drops unsolicited packets before they ever reach Ubuntu. I don't use any added software firewall and mine is 100% stealth, and has always been. It will tell you your external IP also.

Did your Ubuntu operating system pass all those tests? Mine did, ...but I was connecting through my router, and then through my broadband modem. Both my router and my broadband modem have 'hardware firewalls' built into them, (I highly recommend the hardware firewalls in most routers), so it could be that these firewall testing sites are only really testing my 'hardware firewall' in my router.

If you are connecting through a router too you can unplug your router and plug Ubuntu into the broadband modem directly if you want and have another try! (Some of you may need to revert back to DHCP first, to make a direct internet connection.)

Stealth?

Try doing the specific port probe at 'Shields Up!' on port 22, (the SSH port) now. Still 100% stealth? With sshd listening and no filter in front of it, expect port 22 to show as open instead.

CanYouSeeMe.org - Open Port Check Tool - Check just one port at a time - any port.
Given the results from the above tests, it would seem as if at least my
computers are already quite secure from the outside world, I'm not sure
about everyone else's. That depends on your equipment.

Port Scanning in Ubuntu (your other computers in your LAN)

You should not install any programs which open ports in Ubuntu other than SSH Server, which does open a port, but one which is protected by a password or RSA key. Open ports for any services other than SSH make your operating system vulnerable to security threats. Ubuntu comes with no open ports when it is installed.
When we have more than one Ubuntu computer in our network we can use each one to scan the others for open ports. Port scanning is a useful way to check on the security of all of the computers in your LAN.
Ubuntu comes with some very good networking software of its own. I went 'System'-->'Administration'-->'Network Tools', and clicked on the 'Port Scan' tab.

You need to know the IP address of each of your other computers that you want to scan. The easiest way to get that is just to go to the other computer and run 'ifconfig'.
An alternative way would be to take a look at the IP address list in your router's control panel, see this website's: How to set up Routers and ADSL broadband modems under Linux.
Once you know an IP address to run a scan on, the scan only takes a few seconds. It will detect an open port 22 that way when a system has SSH server installed.

If you find any other open ports you can look them up in /etc/services to see what service they're probably for:

herman@bookpc:~$ less /etc/services

If you don't remember installing that service, or if it's a service you don't use, then you should probably uninstall the service and that will probably close the port.

It is best to keep your Ubuntu pure stealth.
If that's not possible and you really need to open any non-SSH ports then you need to configure a firewall, so that those ports are reachable only from the addresses that need them.
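As an added example (not code from the original page), here is the same TCP connect scan that the 'Port Scan' tab and `nmap -sT` perform, written in Python so you can see what 'open' means: the three-way handshake completes. It names each open port from /etc/services (the file shown above) and flags anything besides the ports you meant to leave open. The port list is an assumption, and the built-in self-check only touches 127.0.0.1. Only scan machines you own.

```python
"""Scan a LAN host for open TCP ports and name the likely service from /etc/services.

Added example, not part of the original page. A plain connect scan: a port is
'open' when the TCP handshake completes. COMMON_PORTS is an assumed sample list.
"""
import socket

COMMON_PORTS = (21, 22, 23, 25, 80, 110, 139, 143, 443, 445, 631, 3306, 5900)


def service_name(port, proto="tcp"):
    """Look the port up in /etc/services (the same data `less /etc/services` shows)."""
    try:
        return socket.getservbyport(port, proto)
    except OSError:
        return "unknown"


def scan_ports(host, ports, timeout=0.5):
    """Return {port: service} for every port that accepts a TCP connection."""
    open_ports = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:  # 0 means the handshake completed
                open_ports[port] = service_name(port)
    return open_ports


def unexpected_ports(found, allowed=(22,)):
    """Anything listening besides the ports you meant to open is worth investigating."""
    return sorted(p for p in found if p not in allowed)


def demo_localhost():
    """Self-contained check: open one listener on 127.0.0.1 and scan it plus a
    port we just released, so one shows open and the other closed."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()  # nothing listens here any more
    try:
        found = scan_ports("127.0.0.1", [open_port, closed_port])
    finally:
        listener.close()
    return open_port, closed_port, found


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    result = scan_ports(target, COMMON_PORTS)
    for port, name in sorted(result.items()):
        print(f"{target}:{port} open ({name})")
    print("unexpected:", unexpected_ports(result))
```

Run it as `python3 scan.py 192.168.1.12` against each of your other machines; a box that has only sshd installed should report port 22 and an empty 'unexpected' list. A connect scan is noisy and slow compared with nmap's SYN scan, but it needs no root privileges and leaves a complete connection in the target's logs, which on your own LAN is a feature.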
NMap

NMap is a port scanner you can use for checking all the computers in your LAN for open ports. http://insecure.org/nmap/docs.html
Nmap is installable in Ubuntu through apt-get, Add/Remove Programs or Synaptic Package Manager. A nice GUI front end is available for NMap too, it's called 'NmapFE', and is available through Add/Remove Applications, and probably apt-get and Synaptic too.

WireShark - http://www.wireshark.org/

Wireshark is installable in Ubuntu through apt-get, Add/Remove Programs or Synaptic Package Manager. Wireshark is a packet sniffer, you can use that to keep a watchful eye on the comings and goings of all the packets in your LAN.

Connecting from another computer on the internet to a computer inside a home LAN

If your setup is anything like mine, you would need to open (forward) a port in the broadband modem's firewall, and also a port in the router's firewall, before the incoming connection could be made. That exposes that port on that computer to the whole internet. That's where you might start needing to be more security conscious about computers in the LAN with open ports. What if a remote attacker on the internet ever did (theoretically) manage to get inside my LAN through my broadband modem-router's built-in firewall?
More commonly this could happen via a non-encrypted wireless connection from a local snoop with a laptop. Well, according to this link, Getting Started with SSH, they would still have a hard time cracking my SSH keys.

Quote:

Essentially invulnerable means that it's commonly believed that if
they were really, really motivated, the National Security Agency could crack a
SSH session key within a year, if they didn't do any other cryptographic
cracking during that time, devoting all resources to you. This would
give them access to up to an hour of one of your sessions, provided all packets
were recorded. The exact number of CPUs, hours and dollars required is hard
to estimate, but is outrageously in excess of any credible threat to you.

MAC Addresses

If you want to see your network card's MAC address, use the ifconfig command. MAC addresses are like serial numbers that are hard coded into each piece of networking hardware (though software can override them easily, so a MAC address should never be treated as a security credential). They are used to identify your computer's network card, your router, ethernet switching hub, broadband modem-router, and any other piece of networking hardware you can think of.
They identify your equipment on the LAN only: frames are rewritten at each router, so your MAC addresses don't travel out onto the internet. The MAC address might be compared with a license (number) plate on a car.
More: MAC address - Wikipedia, the free encyclopedia

ADSL is short for 'Asymmetric Digital Subscriber Line'. 'A' stands for 'Asymmetric', because it's set up so that downloading is faster than uploading. 'D' is for 'Digital', (instead of an analog dial-up modem). 'SL' is short for 'Subscriber Line', which just means a phone wire. ADSL uses frequencies above the voice band, so we can have the phone plugged in and use it while the computer is on-line. Our phone wires can carry about 200 times the amount of information using ADSL compared to an analog modem too.

The speed of internet connections is stated in kilobits per second (download/upload), written like: 256/64 kbps, or 512/128 kbps. There are 8 bits in a byte, so one kilobit is 1/8 of a kilobyte; a 256 kbps link moves at most about 32 kilobytes per second. The Data Transfer Rate Conversion Table.

Client Computer

In simple terms, the 'client' computer is the computer that is asking some other computer for a connection.
Ubuntu comes with the client half of all kinds of networking software already installed 'out of the box', but not the 'server' half.
Imagine a telephone that has no bell. You can use it to call any other 'phone, but it can't receive any incoming calls.
In other words, Ubuntu can make connections to other computers that are open, (like a phone can make outgoing calls), but it can't receive any incoming connections. We need to install the 'server' side of the networking software for that to work, (for Ubuntu to be open to some kind of a connection).
We can easily connect to any other computer that has the matching kind of 'server' installed, but no other computers can log into ours.
The default installation of Ubuntu is very secure.

Server Computer

In simple terms, the 'server' computer is the one that will be receiving the connection, something like a telephone when you receive a call.
The server needs to have some kind of software installed in it to enable it to accept incoming connections. Adding server software will open a 'port' in your computer and allow your computer to accept connections from other computers. Ubuntu doesn't ship with any 'services' enabled by default. Once a port is open, the computers connecting to it might include potentially unwelcome intruders, especially if you're connected to the internet and you're not protected by a modem-router firewall.
Within a protected LAN, SSH is the safest kind of networking for beginners, provided you have good strong passwords, because every login is authenticated. A firewall is not required with SSH (Secure SHell) networking as long as you have strong passwords or, better still, RSA keys.
As soon as you join a larger network or the internet then you at least need to disable password logins in sshd and use RSA keys instead, and start thinking about other security strategies as well.
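An added example, not part of the original page, that checks whether an sshd_config actually has the settings called for above before a box is exposed beyond the LAN: password logins off, public-key authentication on, root login off. The two config fragments are constructed; /etc/ssh/sshd_config is Ubuntu's default path, Match blocks are not handled, and the defaults assumed for commented-out directives are those of modern OpenSSH (PermitRootLogin prohibit-password).

```python
"""Check an sshd_config for key-only logins before exposing sshd beyond the LAN.

Added example, not part of the original page. Both configs are constructed;
Match blocks are not handled. Run it on /etc/ssh/sshd_config (Ubuntu's default).
"""

# Constructed: the relevant lines as a default install leaves them (commented = default)
DEFAULT_CONFIG = """\
Port 22
#PermitRootLogin prohibit-password
#PubkeyAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
"""

# Constructed: the same file after following the advice above
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
KbdInteractiveAuthentication no
UsePAM yes
"""

# What we want once the server is reachable from outside the LAN
WANTED = {
    "passwordauthentication": "no",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "no",
}

# sshd's own defaults (modern OpenSSH) for a directive that is commented out or absent
SSHD_DEFAULTS = {
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
}


def parse_sshd_config(text):
    """Return {directive_lower: value} for active (uncommented) lines. sshd honours
    the first occurrence of a directive, so later duplicates are ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def weak_settings(text):
    """(directive, effective_value, wanted_value) for every directive that misses the
    target, counting sshd's default when the directive is missing or commented out."""
    active = parse_sshd_config(text)
    findings = []
    for key, wanted in WANTED.items():
        effective = active.get(key, SSHD_DEFAULTS[key]).lower()
        if effective != wanted:
            findings.append((key, effective, wanted))
    return findings


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/ssh/sshd_config"
    with open(path) as f:
        for key, got, want in weak_settings(f.read()):
            print(f"{key}: is {got!r}, want {want!r}")
```

The trap this catches is the commented-out line: `#PasswordAuthentication yes` in the shipped file is not a setting, it is documentation of the default, and the default is still 'yes' until you add an uncommented `PasswordAuthentication no` and restart sshd. Keep a second terminal logged in while you test the key login, so a typo can't lock you out.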

Choosing a Server

You may need a powerful computer for a busy corporate network that might be accessed by a large number of clients simultaneously, but for a home or small business your server will be idle most of the time.
Sometimes an older computer makes a good home server, that way it can still be used for something and that's better than just throwing it away. Just because it has server software in it doesn't mean it can't have a mouse and keyboard and a monitor. You can still keep using it as a regular computer if you want. If it's an older computer and it doesn't have a good graphics card though, it's less likely to be wanted for everyday computing needs and can still perform a useful role living out the rest of its life as a server.

Servers tend to be left running all the time, you can't access a server that has been shut down, (well not unless you also set up booting by ethernet, that's a subject I'll skip for now). Your spare computer would need to be left running even when it's idle, making noise, heating up the air and adding to the electricity bill.
Another idea would be to use a computer that's on a lot anyway. My wife's computer would be a good choice in my house because she's a heavy computer user and leaves her computer running most of the time anyway. I can count on her leaving it on for me when I need access. Even if she does shut it down I can phone her to have it turned on if necessary. That way I can save some electricity by not having a dedicated server left running idle all the time for no good reason.

DHCP

DHCP - Dynamic Host Configuration Protocol
Most routers now feature DHCP, and it can be turned on or off in the router's settings.
Most people would normally just leave it turned on unless they were doing something special.
The opposite of DHCP is a static or fixed IP address.
One of the important settings we use in our computers to enable them to access the router or the ADSL modem, which accesses the internet, is 'DHCP'.
DHCP is enabled in Ubuntu by default, and if the next piece of equipment up the line is enabled as a DHCP server, then our computer will automatically accept whatever IP address the upstream equipment such as the router or the ADSL broadband modem-router wants to offer it.
If you make the computer insist its IP address is one number while the equipment it is trying to connect to is trying to force it to accept some other number, you probably won't be able to make a connection.

If you want to check you can always just go 'System'-->'Administration'-->'Network', and after you type your password you'll see the 'Network Settings' box; if you click the 'Properties' button you'll get the other box illustrated below.

ssh001.png

MDI/MDIX

If your equipment supports 'auto MDI/MDIX', that means it doesn't matter if you use plain or crossover CAT5 ethernet cables, it will automatically sense whatever is used and adjust itself accordingly. With some equipment, especially older equipment, you might find that it is important to use the (red) crossover cable, or you won't be able to connect the switch to the broadband modem.

Crossover Cable

A 'crossover cable' is the same as a plain ordinary cat5 ethernet cable but when the cable is made some of the wires are crossed over (joined to opposite terminals in the plugs), so the transmit pair at one end meets the receive pair at the other.
See Ethernet Crossover Cables - Wikipedia

Old equipment - a single port ADSL Broadband modem required the
use of a separate ethernet hub in order to serve more than one
computer.

The red cable is a 'crossover cable', and was required between the ethernet switch and the old broadband modem. Modern equipment features auto MDI/MDIX, so crossover cables are no longer needed; even two computers connected directly will work with a plain cable if either network card does auto MDI/MDIX, see SSH with Simple Hardware.


DNS Alternative Workaround:

This is possibly a little bit silly but before I went and got my own dynamic DNS account I thought of an alternative way to solve the dynamic IP address problem.

I can have my home computer send me emails at regular intervals addressed to myself.
When I'm away I then receive the email in my laptop, netbook or USB flash memory stick. Each email carries the public IP address the home LAN was using when it was sent, in the 'Received:' headers that the mail servers add, as long as your ISP's mail server records the submitting client's address (most do). You can see that if you open the email and click 'View'-->'Message Source'.

Set the home PC's Evolution email application to not check for new mail automatically. If it does, it might grab the message it sent itself and wipe it off the server before you get to read it.
Otherwise, if you do let it check for new mail, make sure the home PC's Evolution will at least leave a copy of it on the server.
These settings are in 'Edit'-->'Preferences', in Evolution. Click on your account, and click 'Edit', and go to the receiving options tab.

There are a few different programs that can be used to send email from the command line, and that means they can be set up in a crontab to be sent out at regular intervals, or at any times we decide to set. The email program I use is 'sendEmail'.

SendEmail can be installed with apt-get or Synaptic in Ubuntu and it is quite simple to use.

herman@silver:~$ sudo apt-get install sendemail

Here's how to send an email to yourself with sendEmail, from the command line,
example,

Where: -f user@bigpond.net.au is the email address it's being sent from
Where: -t user@bigpond.net.au is the email address it's being sent to
Where: after the -o option, hello.txt is a plain text file containing a message.
Just make your own text file with any message in it. It doesn't matter what the message contains.
Maybe send yourself a reminder of what port numbers your home router is using for each PC's SSH port to make it useful.
Where: -s is your mail server, that depends on your ISP.
For more info: Send an email at start up that contains my IP - Ubuntu Web Forums.

Now
that you know how to send yourself an email from the command line, you
can probably figure out how to use crontab to do the same thing. If you
don't know how to set up crontab, look here: Configure 'crontab'

How to send an email to yourself with sendEmail, from crontab,
example,

Where: you will send yourself an email at 06:00 every day. You might want to make more of these. One every four hours, or every six hours, or eight hours, or whatever.

Why do we need to send ourselves an email?
So we can receive our own email from a remote location and discover our home LAN's current IP address when we have a dynamic IP.
How?
Open the email and click 'View'-->'Message Source', and the IP address will be there in the earliest 'Received:' header (the one nearest the bottom of the header list, since each mail server adds its own line on top).
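As an added example (not from the original page), here is the 'View'-->'Message Source' step automated in Python: it reads the Received: headers that each mail server prepends, walks them from the earliest hop, and returns the first address that isn't a private LAN or loopback address. The raw message is constructed, its host names and addresses (203.0.113.77 and the others) are documentation placeholders standing in for your ISP's, and it assumes the ISP's SMTP server records the submitting client in a Received: header, which most do. It goes a little beyond the manual step by skipping a private hop such as a LAN mail relay.

```python
"""Find the home LAN's public IP in a self-addressed e-mail's Received: headers.

Added example, not part of the original page. SAMPLE_MESSAGE is constructed;
its host names and addresses are placeholders (RFC 5737 documentation ranges).
"""
import email
import ipaddress
import re
from email import policy

# Constructed sample: three hops, newest header on top (servers prepend as they go).
SAMPLE_MESSAGE = """\
Received: from mail-out.example.net (mail-out.example.net [198.51.100.9])
\tby mx.example.org with ESMTP id abc123; Mon, 01 Jun 2009 06:00:04 +1000
Received: from relay.lan (dsl-203-0-113-77.example.net [203.0.113.77])
\tby mail-out.example.net with ESMTPA id xyz789; Mon, 01 Jun 2009 06:00:02 +1000
Received: from red (red.lan [192.168.1.12])
\tby relay.lan with ESMTP id lan001; Mon, 01 Jun 2009 06:00:01 +1000
From: user@example.net
To: user@example.net
Subject: ip report
Date: Mon, 01 Jun 2009 06:00:00 +1000

hello, router forwards port 2222 -> red:22
"""

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Addresses that can only belong to the home side of the connection
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918 LAN ranges
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
)]


def is_local(text):
    """True for RFC 1918, loopback and link-local addresses (and for non-addresses)."""
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return True
    return any(ip in net for net in LOCAL_NETS)


def received_addresses(raw_message):
    """IPv4 addresses from the Received: headers, earliest hop first."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    addrs = []
    for header in reversed(msg.get_all("Received", [])):
        addrs.extend(IPV4_RE.findall(str(header)))
    return addrs


def origin_public_ip(raw_message):
    """First non-local address in the chain: the WAN address of the home router
    at the time the cron job sent the mail. None if there are no Received: headers."""
    for text in received_addresses(raw_message):
        if not is_local(text):
            return text
    return None


if __name__ == "__main__":
    import sys
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_MESSAGE
    print(origin_public_ip(raw))
```

Save the message source from your mail client and pipe it in (`python3 whereami.py < report.eml`); the result is the address to give `ssh -p 2222 user@...`. If it comes back None, or as one of your ISP's own addresses, your mail provider is stripping the client address from Received:, and you'll have to put the address in the message body instead (for example by having the cron job fetch it from a what-is-my-ip service before calling sendEmail).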
